Description
A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint.
Published: 2025-12-10
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Role Metadata Disclosure
Action: Apply Patch
AI Analysis

Impact

A flaw exists in Keycloak's administrative REST API that allows an attacker to read sensitive role metadata without proper authorization. The vulnerability resides in the /admin/realms/{realm}/roles endpoint, where insufficient access-control checks enable the disclosure of protected information. The exposed data consists of role metadata that could help an attacker understand the application's security posture and plan further attacks.

Affected Systems

The issue affects Red Hat builds of Keycloak 26.4 and the 26.4.11 patch release. Systems running these specific Red Hat packages are susceptible until updated to a patched build.

Risk and Exploitability

The CVSS score of 2.7 indicates a low severity rating, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in CISA's KEV catalog. Based on the description, exploitation likely requires elevated privileges within the administrative interface or access to the internal network to take advantage of the insufficient authorization check. Without a valid admin session, an attacker would have limited capability to retrieve the sensitive role metadata.

Generated by OpenCVE AI on April 20, 2026 at 15:26 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available, or the currently available options don't meet the Red Hat Product Security criteria of ease of use and deployment, applicability to a widespread installation base, or stability.


OpenCVE Recommended Actions

  • Apply the Red Hat security fixes issued in RHSA-2026:6477 or RHSA-2026:6478 to upgrade Keycloak to a patched version.
  • Ensure that the installed Keycloak package is later than 26.4.11 and that its configuration matches the patched release.
  • Restrict access to the /admin/realms/{realm}/roles endpoint by limiting network reachability or applying role-based access controls so that only authorized administrative users can query role metadata.


Tracking


Advisories

Source      | ID                  | Title
GitHub GHSA | GHSA-6q37-7866-h27j | Keycloak Admin REST (Representational State Transfer) API does not properly enforce permissions
History

Thu, 02 Apr 2026 14:15:00 +0000

Type       | Values Removed                | Values Added
CPEs       | cpe:/a:redhat:build_keycloak: | cpe:/a:redhat:build_keycloak:26.4::el9
References |                               |

Wed, 10 Dec 2025 15:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Dec 2025 12:15:00 +0000

Type       | Values Removed        | Values Added
References |                       |
Metrics    | threat_severity: None | threat_severity: Low


Wed, 10 Dec 2025 09:15:00 +0000

Type                | Values Removed | Values Added
Description         |                | A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint.
Title               |                | Keycloak-services: keycloak admin rest api: improper access control leads to sensitive role metadata information disclosure
First Time appeared |                | Redhat; Redhat build Keycloak
Weaknesses          |                | CWE-284
CPEs                |                | cpe:/a:redhat:build_keycloak:
Vendors & Products  |                | Redhat; Redhat build Keycloak
References          |                |
Metrics             |                | cvssV3_1 {'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-19T23:14:08.825Z

Reserved: 2025-12-05T05:32:13.023Z

Link: CVE-2025-14082

Vulnrichment

Updated: 2025-12-10T14:39:54.545Z

NVD

Status: Deferred

Published: 2025-12-10T09:15:46.857

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14082

Redhat

Severity: Low

Public Date: 2025-12-05T00:00:00Z

Links: CVE-2025-14082 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T15:30:06Z

Weaknesses